IBM Support

QRadar: Detecting SMBv1 & SMBv2 Traffic with QFlow (Updated)

Troubleshooting


Problem

How do I use QFlow to detect SMBv1 traffic and identify the systems in my network that generate it?

Cause

SMBv1 has been associated with ransomware propagation and is generally considered obsolete.

Environment

Any QRadar version with a QFlow Collector connected to a SPAN/TAP port. Using the application signatures file (signatures.xml), you can create content-based and IP address-based detection rules that assign custom application IDs to flows that QRadar does not detect automatically.

Resolving The Problem

To have QFlow distinguish SMBv1 from SMBv2 traffic, you add custom signature stanzas to signatures.xml. After this update, flows that carry an SMBv1 or SMBv2 protocol header are identified as such in the Network Activity interface.

UPDATE: A flow can match multiple signatures. A flow is mapped to an application ID according to signature order in the file: the first signature in the file that matches is the one assigned. In this procedure, place the new stanzas at the top of the signatures XML file so that the flow is assigned to the new signatures rather than producing detections for the existing IDs 1014 and 1021.

Procedure
This procedure lets the Network Activity tab show SMBv1 and SMBv2 traffic in the Application column of the user interface.
  1. Log in to the QRadar Console by using an SSH session.
  2. Navigate to the globalconfig directory: /store/configservices/staging/globalconfig
    For example: cd /store/configservices/staging/globalconfig
  3. To back up signatures.xml, type the following command:
    cp -p /store/configservices/staging/globalconfig/signatures.xml /store/configservices/staging/globalconfig/signatures.xml.bak
  4. Download QRadar_SMBv1_2_signatures.xml (right-click the link and select Save as in your browser) and open it in a text editor.

    Important: This file contains four new signatures to detect SMBv1 and SMBv2 in flows. The contents of this file must be added to signatures.xml on your QRadar Console appliance; however, do not copy the first line (the XML 1.0 header) from the file, as you require only the signature elements. The signatures.xml on the Console appliance already contains an XML 1.0 header line, and a second header makes the file malformed.

  5. Copy the four signature stanzas from the downloaded XML file into Notepad or an equivalent text editor. The new stanzas must appear as the first signatures in signatures.xml; because the file is read in order from start to end, this ensures that the new signatures for application IDs 15001 and 15002 are matched properly.

    NOTE: There are four signatures, covering SMBv1 and SMBv2 in both the SRC and DST direction for each protocol. If you add further signatures of your own, ensure that the <sigid> element uses the proper numeric range.

    Reference for <sigid> reserved values:
    - Sigid values in the range 1000 to 1999 are reserved for QRadar development team updates.
    - Sigid values in the range 2000 to 2999 are reserved for support team updates and technical notes.
    - Sigid values of 3000 and above are reserved for customer use.

  6. Using vi (or your Linux editor of choice), edit /store/configservices/staging/globalconfig/signatures.xml
  7. Paste the four custom signature stanzas into signatures.xml, before the first existing signature.
  8. To save your changes, press Esc, then type :wq and press Enter.
  9. Remain in (or return to) the globalconfig directory, which also contains apps.conf:
    For example: cd /store/configservices/staging/globalconfig
  10. To back up apps.conf, type the following command: cp -p /store/configservices/staging/globalconfig/apps.conf /store/configservices/staging/globalconfig/apps.conf.bak
  11. Using the vi editor, open apps.conf and search for the line that starts with DataTransfer#lockd####60068.

    NOTE: To locate this line, type this command at the vi prompt: /DataTransfer#lockd####60068

  12. Add two SMB Protocol lines between DataTransfer#lockd####60068 and DataTransfer#Microsoft-ds####60142.

    For example, the text below displays the order of lines in your updated apps.conf file:
    DataTransfer#lockd####60068
    DataTransfer#SMBv1_WindowsFileSharing####15001
    DataTransfer#SMBv2_WindowsFileSharing####15002
    DataTransfer#Microsoft-ds####60142

  13. To save the changes, press Esc, then type :wq and press Enter.
  14. Log in to the Console as an administrator.

    NOTE: A Deploy Full Configuration restarts services on all managed hosts in the deployment. Alert your users before you start this task, because services are temporarily restarted, which interrupts event and flow collection.

  15. On the Admin tab, click Advanced > Deploy Full Configuration.

    Results: After the deploy completes, users of the Network Activity tab can distinguish SMBv1 flows from SMBv2 flows by the Application column.
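As an added example (not IBM's tooling, and not the contents of QRadar_SMBv1_2_signatures.xml), the following POSIX shell script carries out steps 3 to 13 on the Console with the backups the procedure asks for, then runs the checks a practitioner wants before Deploy Full Configuration: exactly one XML header, the new stanzas first in the file, well-formed XML, and the two apps.conf lines present once each between the lockd and Microsoft-ds lines. It assumes that the root element of signatures.xml is the first element tag after the XML declaration, that the downloaded stanza file is an XML declaration followed only by <signature> elements, and that GLOBALCONFIG may be overridden for testing; the stanzas inside run_demo are constructed placeholders, not the real signatures.

```shell
#!/bin/sh
# Added example, not IBM's tooling: stages the custom SMB signatures and app
# lines from the procedure above, with backups and checks, before you deploy.
# Assumptions not stated in the technote: the root element of signatures.xml
# is the first element tag after the XML declaration, and the downloaded
# stanza file is an XML declaration followed only by <signature> elements.
set -eu

GLOBALCONFIG="${GLOBALCONFIG:-/store/configservices/staging/globalconfig}"
LOCKD='DataTransfer#lockd####60068'
SMB1='DataTransfer#SMBv1_WindowsFileSharing####15001'
SMB2='DataTransfer#SMBv2_WindowsFileSharing####15002'
MSDS='DataTransfer#Microsoft-ds####60142'

# Steps 3-8: back up signatures.xml and insert the downloaded stanzas (minus
# their XML declaration) right after the root element's opening tag, so they
# are the first signatures QFlow evaluates.
install_signatures() {
  sigs="$1" stanzas="$2"
  cp -p "$sigs" "$sigs.bak"
  grep -v '^<?xml' "$stanzas" > "$sigs.new-stanzas"
  awk -v f="$sigs.new-stanzas" '
    { print }
    !done && /^[ \t]*<[A-Za-z]/ {        # first element tag is the root
      while ((getline line < f) > 0) print line
      close(f); done = 1
    }' "$sigs.bak" > "$sigs"
  rm -f "$sigs.new-stanzas"
}

# Steps 9-13: back up apps.conf and add the two app lines after the lockd line.
install_app_lines() {
  apps="$1"
  cp -p "$apps" "$apps.bak"
  awk -v lockd="$LOCKD" -v smb1="$SMB1" -v smb2="$SMB2" '
    { print }
    $0 == lockd { print smb1; print smb2 }' "$apps.bak" > "$apps"
}

# Checks worth running before Deploy Full Configuration:
#  - exactly one XML declaration (the downloaded header was not pasted in)
#  - the first <appid> in the file is 15001 (signatures are read in order)
#  - well-formed XML, when xmllint is installed
#  - both app lines present exactly once, between lockd and Microsoft-ds
verify() {
  sigs="$1" apps="$2"
  [ "$(grep -c '^<?xml' "$sigs")" -eq 1 ] || return 1
  first="$(sed -n 's/.*<appid>\([0-9]*\)<\/appid>.*/\1/p' "$sigs" | head -n 1)"
  [ "$first" = 15001 ] || return 1
  if command -v xmllint >/dev/null 2>&1; then xmllint --noout "$sigs" || return 1; fi
  [ "$(grep -cFx "$SMB1" "$apps")" -eq 1 ] || return 1
  [ "$(grep -cFx "$SMB2" "$apps")" -eq 1 ] || return 1
  awk -v a="$LOCKD" -v b="$SMB1" -v c="$SMB2" -v d="$MSDS" '
    $0 == a { la = NR }
    $0 == b { lb = NR }
    $0 == c { lc = NR }
    $0 == d { ld = NR }
    END { exit !(la && lb && lc && ld && la < lb && lb < lc && lc < ld) }' "$apps"
}

# Rehearsal on constructed files in a temp dir; the stanzas below are
# placeholders, not the real QRadar_SMBv1_2_signatures.xml. Prints the dir.
run_demo() {
  dir="$(mktemp -d)"
  cat > "$dir/signatures.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<signatures>
  <signature>
    <appid>60142</appid>
    <sigid>1060</sigid>
  </signature>
</signatures>
EOF
  cat > "$dir/QRadar_SMBv1_2_signatures.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
  <signature>
    <appid>15001</appid>
    <sigid>3001</sigid>
  </signature>
  <signature>
    <appid>15002</appid>
    <sigid>3002</sigid>
  </signature>
EOF
  printf '%s\n' "$LOCKD" "$MSDS" > "$dir/apps.conf"
  install_signatures "$dir/signatures.xml" "$dir/QRadar_SMBv1_2_signatures.xml"
  install_app_lines "$dir/apps.conf"
  verify "$dir/signatures.xml" "$dir/apps.conf"
  echo "$dir"
}

# Real run (uncomment after copying the downloaded stanza file to the Console):
# install_signatures "$GLOBALCONFIG/signatures.xml" ./QRadar_SMBv1_2_signatures.xml
# install_app_lines "$GLOBALCONFIG/apps.conf"
# verify "$GLOBALCONFIG/signatures.xml" "$GLOBALCONFIG/apps.conf" && echo "ready to deploy"
```

Run run_demo first on a test host; it should print a temp directory and exit 0. If verify fails on the real files, restore from the .bak copies before deploying, because a signatures.xml with two XML headers or a stanza outside the root element is not merged by Auto Integrate and can fail to load.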

IMPORTANT: Preserving your changes
Administrators who change files that QRadar automatic updates also deliver, such as signatures.xml, must verify their configuration settings whenever new auto updates are provided. To prevent signatures.xml from being overwritten, set the Update Type to Auto Integrate.


Procedure
  1. Click the Admin tab.
  2. Click the Auto Update icon.
  3. Click Change Settings.
  4. To merge your existing configuration files when an auto update runs, select Auto Integrate.
  5. Click Save.

    Results
    Any manual change made by administrators to the custom signatures in /store/configservices/staging/globalconfig/signatures.xml is preserved. During installation, the signatures.xml in the auto update is compared with /store/configservices/staging/globalconfig/signatures.xml using xdiff, and the changes from both are merged, provided that the XML is properly formed and each custom signature contains both <appid> and <sigid> values. Keep signatures.xml.bak so that a malformed stanza, which will not merge, can be restored after the update.

Document Information

Modified date:
13 August 2019

UID

swg22004689